The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.


CW Security Think Tank: What’s holding up the cloud?

CW Security Think Tank: Are security concerns and a lack of adequate risk assessment tools the reason SMEs are not adopting cloud computing, or is the real reason something else that security professionals are also in a good position to address?

Gartner: cloud can help SMEs in the recession

Small or midsize enterprises (SMEs) present a significant opportunity for cloud service suppliers. SMEs have always been a natural segment for managed and hosted services; however, during the past 24 months the depressed economy has moved more SMEs towards cloud-based services.

It has been suggested that the reason SMEs are not adopting cloud computing (cloud sourcing) is that shortfalls exist in the area of risk assessment around this set of infrastructures and associated components.

ISF: risk management needs to be addressed

SMEs (especially the 'S' ones) often do not have the luxury of information security departments, so security and risk concerns are difficult to address - and can stop cloud adoption.

(ISC)2: there is growing acceptance of cloud among SMEs

Numerous articles in the media about the security risks of operating in the cloud contribute to the perception that working in the cloud is a risky business and dampen the enthusiasm of potential adopters. However, recent surveys, including one from Microsoft, reveal that there is growing acceptance of the cloud computing model among SMEs, with 39% of SMEs expecting to be paying for cloud services within three years - one-third more than in 2010.

Cloud Security Alliance: SMEs are already engaged with the cloud

Amazon releases online music cloud player; IBM introduces cloud-based social analytics; Playstation Plus offers game saves in the cloud; Google Cloud Connect gets official launch; New Apple cloud service to launch in spring; Virtual Internet unleashes cheap Microsoft Exchange cloud computing email service. All these were news in one week. Is moving to the cloud avoidable or is it a phobia that time will heal?

The Corporate IT Forum: Cloud offers access to software that would otherwise be cost-prohibitive

There are clear potential benefits for a SME in the cloud. Smaller, and probably quicker to adapt than a large enterprise, the cloud offers the SME access to software that may be cost-prohibitive on a traditional delivery model.

Cloud computing is all around us. Many organisations use it to support their everyday activities, sometimes even without realising. Services such as web hosting, Google Apps for e-mails, Dropbox for file sharing, backup services and others attract the attention of SMEs as these are easy to use and just work, without complicated setup.

BCS: SMEs may not need the cloud

I have to admit I view "the cloud" with some suspicion as I've seen the hype before and the technologies of earlier times are not that different from "the cloud" (remember application service suppliers - ASPs - from the early 2000s).

CW Security Think Tank: What should information security professionals do - and what should they avoid doing - to ensure the success of infosecurity projects?

Gartner: Treat them as business projects It is safe to say that a large proportion of IT security projects either fail outright or do not fulfil the expectations that were used to justify the project. There are a few reasons that are common across the board for these failures.

CAMM: There are multiple causes of failure There is rarely a single overriding cause of failure for an IT security project. More common is for a number of seemingly small setbacks or deviations to build up until successful delivery is no longer achievable.

CAMM/CSA: Communicate the benefits Unless care is taken to explain the emergent benefits of the project to the stakeholders who will be subject to it, they will see no benefit in it and resist any changes it brings that affect their productivity.

BCS: Young Professionals Information Security Group Security must be seen as a business driver rather than just a cost IT security in general is still often not regarded as a business driver, being seen instead as a necessary cost in mitigating risk. However, the absence of board-level support for a security strategy creates a key reason for projects to fail.

An overwhelming majority of our members participating in the current edition of the (ISC)2 Global Information Security Workforce study have told us that the answer to this question is "no".

In the light of British Airways' recent disclosure that an employee was plotting a terror attack, how well are UK businesses equipped to perform forensic investigations of computer systems?

ISSA UK: Organisations must be prepared The scouting motto "be prepared" saved Maldives president Maumoon Abdul Gayoom from assassination in 2008 when a local Boy Scout stepped in to foil his attacker. Being prepared for a security incident affecting computer systems may not produce such dramatic results, but it will enable an organisation to maximise its potential to use digital evidence while minimising the costs of an investigation.

BCS: First step is to recognise the threat The problem of the internal "black hat" (person intent on doing harm to a computer system) is not a new one. Many organisations choose to implement a system in which they escort staff from the premises when they are made redundant or fired, in order to reduce the risk of damage to systems or the unauthorised removal of sensitive information.

Gartner: Investigations must be done carefully and correctly Human activity is becoming increasingly virtualised. With routine communications and daily activities starting on workstations and taking place across enterprise networks and the internet, it is only to be expected that this is accompanied by a commensurate rise in the levels of undesirable digital activity in the workplace.

(ISC)2: Crime scene must be protected Just because I carry a first aid kit in my car, does that make me equipped to deal with a road traffic incident? Probably not. The intention is clearly there, but when reality strikes...

Corporate IT Forum: Downturn has changed employee attitudes The plotting of terrorist activity is an extreme example of employee misuse of access, but there is little doubt that the deteriorating economy has impacted on the quality of internal business relationships and, ultimately, heightened employee disaffection.

ISACA: Rigorous approach is required More than 70% of UK homes have a computer, with over 93% connected to always-on broadband. In the majority of criminal and corporate cases, somewhere in the background a computer, PDA or cell phone may be lurking - hence the case for computer forensics.

What should information security professionals be doing to ensure their organisations are protected from phishing scams aimed at private enterprise?

ISACA: Experience tells us that the computing world has excelled at the art of untimely acceptance of new vectors of risk.

BCS: Tackling e-mail-based scams and spam starts with reducing the volume of spam by filtering and is completed by educating the users, from the top of an organisation right down to the most junior levels, to recognise spam and scams and to delete them.

ISSA UK: Phishing works. If it were unsuccessful then we would not be bombarded with e-mails from former dictators requiring our assistance in exchange for the GDP of a small country.

Gartner: Protecting an organisation from the damage incurred by phishing and malware scams requires a layered security approach.

The Corporate IT Forum: Online scams aimed at senior executives or specific functions within the business are potentially very damaging.

(ISC)2: Phishing scams are not new, just the latest technological means of perpetrating them are.

Do we need a single cyber-security organisation to secure the internet?

ISF: Security starts with personal responsibility While it is understandable that people like the idea of a single global organisation or agency with overall responsibility for overseeing and securing the internet and all IP-based communications, the concept is simply unrealistic.

Corporate IT Forum: Education first, monitoring second This topic started a passionate debate among members of The Corporate IT Forum's Information Security Service, with strong advocacy on both sides but no quick or obvious answer. "Who guards the guards?" was an issue raised by some. Others were concerned that agreeing on jurisdiction and legislation across global borders would stall any discussions.

(ISC)2: We must first agree what needs policing At the crux of the debate is the fact that there is too much governance in the hands of one country, with the majority of organisations handling the governance of domain names and servers based in the United States. This has made it more of a political concern rather than an argument about practicalities.

ISSA UK: Global internet laws may be unachievable Much like the uproar caused when John Postel contacted the operators of the root nameservers in 1998, the creation of a cyber world police will be an equally divisive action. In particular, the challenge will be to determine a set of rules by which all users must adhere to.

ISACA: SOCA could take the mantle In the opinion of many professionals, there is already one particular agency that possesses national focus, and powers, and is involved in dealing with large scale criminal operations (not just regional, or metropolis focused).

Why is corporate adoption of the trusted computing standard still very low when over 70% of new computing devices have built-in trusted platform modules (TPMs)?

Gartner: Users need to use multiple PCs There are several reasons why actual usage of the trusted platform modules (TPMs) is very low, writes John Pescatore, vice-president and distinguished analyst at Gartner.

(ISC)2: Users resist limits imposed on their freedom From a security manager’s perspective, the Trusted Platform Standard and modules offer the ability to do some remarkable things, technically enforcing the application of encryption, copyright licensing, policies on the use of unauthorised software and the like, writes Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director at (ISC)2.

BCS: Cost of support outweighs the benefits The use of any standard depends on a need (to use a standard) and/or the availability of products that can effectively leverage the particular standard, writes Peter Wenham, committee member of the BCS Security Forum Strategic Panel and director of information assurance consultancy Trusted Management.

ISACA: Users reject Trusted Computing because of privacy and security concerns Trusted Computing, and its various implementations, have been a perennial topic since the mid 1990s, writes Rolf von Roessing, international vice-president at ISACA. The first initiative, such as the "Clipper chip" met with grass-roots resistance, and subsequently industry resistance, as many thought this a misdirected attempt at government supervision and surveillance.

How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?

ISACA: Passwords and encryption strengthen printer security When we conduct a penetration test of a corporate network, we typically find dozens of printers offering management pages without passwords. This means that anyone on the network could not only print to the machine, but also control it, change the print settings and send faxes.
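The finding above (management pages answering without any credentials) is easy to check for before a penetration tester does it for you. The following is an added example, not code from the ISACA contributor or from any vendor: it probes a list of candidate management paths and classifies each as open, protected by an HTTP authentication challenge, or in need of manual review because the device redirected (typically to a login page). The candidate paths are assumed for illustration, and the two "printers" it audits are constructed stand-ins running on the loopback interface, so it runs offline.

```python
"""Probe printer embedded web servers for management pages reachable without credentials."""
import http.server
import threading
import urllib.error
import urllib.request

# Management-page paths that printer embedded web servers commonly expose.
# This list is an assumption for the example; extend it per vendor in practice.
CANDIDATE_PATHS = [
    "/",
    "/hp/device/this.LCDispatcher",
    "/web/guest/en/websys/webArch/mainFrame.cgi",
]

# Opener with no proxy handling, so each probe goes straight to the device.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(host, port, path, timeout=3.0):
    """GET one path; return (status, WWW-Authenticate, redirected) or None if unreachable."""
    url = f"http://{host}:{port}{path}"
    req = urllib.request.Request(url, headers={"User-Agent": "printer-audit"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate"), resp.geturl() != url
    except urllib.error.HTTPError as err:        # 4xx/5xx still carries headers
        return err.code, err.headers.get("WWW-Authenticate"), False
    except (urllib.error.URLError, OSError):
        return None


def audit(host, port):
    """Classify each candidate path: 'open', 'protected' or 'review' (redirected)."""
    findings = []
    for path in CANDIDATE_PATHS:
        result = probe(host, port, path)
        if result is None:
            continue
        status, challenge, redirected = result
        if status == 200 and not redirected:
            findings.append((path, "open"))          # page served with no credentials
        elif status == 200:
            findings.append((path, "review"))        # redirected, probably to a login page
        elif status in (401, 403) or challenge:
            findings.append((path, "protected"))
        # 404 and other statuses are ignored: the path does not exist on this device
    return findings


class _FakePrinter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a printer's embedded web server (not a real device)."""
    require_auth = False

    def do_GET(self):
        if self.path not in CANDIDATE_PATHS:
            self.send_error(404)
            return
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="printer"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><title>Device Configuration</title></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):      # silence per-request logging
        pass


def start_fake_printer(require_auth):
    """Start a simulated printer on an ephemeral loopback port and return the server."""
    handler = type("Handler", (_FakePrinter,), {"require_auth": require_auth})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Audit one unprotected and one password-protected simulated printer."""
    open_dev, locked_dev = start_fake_printer(False), start_fake_printer(True)
    try:
        return {
            "open": audit("127.0.0.1", open_dev.server_address[1]),
            "locked": audit("127.0.0.1", locked_dev.server_address[1]),
        }
    finally:
        for srv in (open_dev, locked_dev):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

Run it against a real subnet by calling audit() per host; anything reported as "open" is a device whose configuration, and on many models its stored address book and scan-to-e-mail credentials, can be changed by anyone on the network.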

BCS: Responsibility for security of end-point devices must be shared across the business Network scanning technology needs to be capable of addressing the end points to ensure that anti-virus or software updates are run on printers and other connected devices to keep them virus-free and "healthy".

Tif: Risk assessment enables targeted security management There is a broad spectrum of serious risks and vulnerabilities to be addressed, in which networked devices re-infecting networks is only one challenge.

ISACA: Strong security builds trust; trust builds business The first challenge in attempting to articulate the extent to which security can help business growth is for the enterprise to recognise that security is a business issue, not just a technical one.

Gartner: Seven ways to align security with the business There is no single tactic or strategy that guarantees success in improving business alignment of security. Rather, a number of varied but interrelated actions need to be identified and executed to improve alignment over time.

(ISC)2: Security bridges divide between IT and business As information security grows in stature within the organisation, we in the profession must be careful not to develop any delusions of grandeur. No matter how crucial our efforts may be, we must recognise that we are very firmly cast in a supporting role.

Tif: Protection of customer data makes a strong selling point There is no doubt that security will play an increasingly important role in enabling business growth, but it requires those in the boardrooms of Great Britain to wake up to the real challenges that will threaten their business over the next decade.

What should businesses be doing to assess and manage the security risks of instant messaging?

Corporate IT Forum: The triangle of trust Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business.

BCS: Mitigate risks with security awareness and access control The first thing any company should do is to ensure they have a comprehensive set of acceptable use policies (AUPs) covering such things as IM, e-mail and internet access. They must also ensure that staff are aware of the various AUPs and sanctions for abuse of an AUP.

ISSA: No silver bullet for instant messaging security Introducing new communication channels for business also becomes a new delivery channel for malware and spam (or spim - spam over instant messaging). The popularity of IM is not lost on those that propagate such unwanted traffic.

(ISC)2: Educate, monitor and block My advice to companies would be to allow it internally, but to block any IM activity with the outside world. That way, the chances of connecting inadvertently with a stranger and disclosing company information, or of clicking on a malicious link, would be reduced.

Gartner: Comprehensive web security IT organisations must recognise that instant messaging (IM) is no more or less secure than any internet-facing application. It is really just one of the issues to consider when developing a comprehensive solution that will protect organisations from all types of Web2.0/internet threats.

What qualifications, technologies, sectors and networking events should IT security professionals be looking at to help increase job security and further their careers?

ISF: Bridge the gap between IT and business to dodge layoffs The profession is changing: there seems to be a bigger drive for consultants with a greater understanding of business (and how it works) and a need for people who can 'bridge the gap' between technology and business. Technology specialisms are also likely to be in demand.

Gartner’s tips for furthering your IT security career Gartner has seen a dramatic increase in programme maturity over the past 10 years. Tools are still important pieces of the puzzle, but scalable, repeatable processes are now at the centre of security programmes.

(ISC)2: Keep your finger on the pulse and stay relevant Currently there is a huge interest in cloud computing and all that involves. It is certain that businesses will want to take up this business model and that security professionals who understand the threats and vulnerabilities and have looked at ways of using this technology securely will be in demand.

Are information security risks really increasing with offshoring and outsourcing and how can the IT security professional assess and mitigate the risk?

BCS: Remember you are outsourcing process, not legal responsibility Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and the results are fed through to the contract stage.

ISF: Get in early to mitigate outsourcing data risks Consistently the biggest information security problem associated with outsourcing has been in being late to the party. Finding out about the outsourcing deal after it had been signed, not being invited to participate in the vendor assessment process and realising that security was not part of the deal.

ISACA: Reality check your outsourcing risk This is of course something of a trick question, or should be. All organisations need to begin any risk assessment for existing outsourcing contracts from an operational risk perspective.

Gartner: Define a process to protect data when offshoring Offshore outsourcing is an emotive topic, and the security and privacy risks specific to offshoring can often be perceived, rather than real. Indeed, many companies have significant challenges managing security requirements with third parties regardless of location.

Application security is a growing area of concern, but what can UK businesses do to ensure the applications they buy today are not going to be security threats of tomorrow?

ISSA UK: Defence in depth is key to application-level security Having objective safety information is critical to the selection of a product that demands security for its users. For IT managers, such critical information for deciding which application is best for running the payroll is likely based on vendor assurances.

Gartner: Technologies for application-level security As attacks become more financially motivated and as organisations get better at securing their network, desktop and server infrastructures, there has been a shift in attacks to the application level. To address those new risks, several technology markets for application security have emerged.

How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?

ISF: Get processes right, and the security will follow Many organisations still fall into the trap of selecting a security technology and then attempting to retro-fit a process around it. Often the resulting process is clumsy, encouraging users to make short cuts, or to simply perform tasks in a roundabout way. So, instead, reassess the problem in hand, design a new process and once that is right the appropriate security technologies should be easier to identify.

BCS: Security must be compatible with working practices Many security technologies do not appear to be effective because they do not fit in with the way people work. Users often ignore, avoid or circumvent anything that makes it difficult for them to do their jobs. And why would they not?

Gartner: Raise awareness of security measures Internet and IT risk have an impact on all employees, and controls required to mitigate these risks will inevitably constrain or hamper the activities of all users. A reality of human behaviour is that whenever controls are implemented that affect what people do, many of them will modify their behaviour in unexpected or undesirable ways.

(ISC)2: Accountability is key to security Unfortunately the accountability of the user is yet to be well understood, which leads to error or justified flouting of the rules, often with management support, in order to get a job done. This presents a colossal task for the security manager to ensure employees understand the whys and wherefores of what is being asked of them.

Full disk encryption is expected to be the top security technology to be tested or adopted this year, what are the challenges and benefits likely to be?

Assess your software- and hardware-based full disk encryption options There are still plenty of people who believe that a strong Windows password will protect the contents of their laptop. However, the truth is that anyone with physical access to your laptop can also have full and unrestricted access to your data, unless you have encrypted the hard disk.

ISSA UK: Business rewards make risk worthwhile The latest buzzword is security as a service. The term refers to the delivery of traditional security applications as an internet-based service. It is not a new term, making its first appearance in 2001 when McAfee filed a patent for the delivery of security software as a service over the internet.

The Corporate IT Forum: Rewards outweigh security drawbacks It is now over a year since we tested corporate attitudes towards outsourced security services and found that many Corporate IT Forum members were routinely outsourcing security functions such as spam management, e-mail virus and vulnerability scanning for external threats. We established that members felt comfortable and confident with the services provided, with many regarding them as cost-effective and sound business choices.

With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?

BCS: Secure employee access to prevent insider threat Even an organisation with very good security can find it is effectively more vulnerable than an organisation with poor security if it is going through a period of change, such as redundancies, cost-savings, mergers or outsourcing.

(ISC)2: Guard business assets against increased threat The value of business assets, (for example, intellectual property, client data and service availability, managed in-house or via third parties) does not diminish during a downturn. During such time, there is an increased emphasis on the identification of key business assets and the mapping of a formal, consistent, and proportionate security strategy.

ISACA: Don't let turmoil distract attention from security While most enterprises in financial services have generally understood the need for high levels of security and have applied themselves to implementing and managing effective and appropriate security measures, there is little doubt that risk will have increased throughout and following any major market upheaval.

ISF: Security is not primarily a technical issue The great myth associated with information security is that the risks are primarily technical. However, practitioners in the trenches know better: the greatest vulnerabilities organisations face are down to human behaviour.

How do you protect your mobile employees and customers, who lie beyond the network frontier, from malware?

Tif: Boundaries are blurring The notion of a boundary existing between "locked down" IT systems inside the corporate network and everything else operating outside it does not make as much sense as it once did.

ISF: Extend the security perimeter By and large, corporates have solved the problem of protecting the security of workstations against malware in their own internal environment.

ISACA: Constantly mutating challenge The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate.

In view of the cyber-warfare dimension to the Russia-Georgia conflict, and the Chinese cyber-espionage ongoing against the west since c.2003 ("Titan Rain", and so on), how concerned should we in the UK be about state-sponsored hacking?

Social networking sites: what are the associated risks at a corporate and at an individual level?

Gartner: at-a-glance guide to social networking risks Multiple worms and viruses have been introduced to various social network environments. Content distribution within a social network parallels peer-to-peer environments and can support rapid distribution of malware embedded in applications and graphics.

BCS: Individual risks become corporate risks As a result of the strong human desire to connect, social networking websites have encouraged online behaviour where security and privacy are not always the first priority. The key cause for concern is the late realisation of the open nature of the web and thus how much personal information has been left exposed to any passing stranger.

Tif: Limit your liability from social networking The main risk of social networking comes from the blurring of a participant's professional and personal profile. Very often, social networkers align themselves with professional networking groups that indicate clearly who employs them and what their job function is. Potentially, this can make it very easy for criminals to harvest information that can be used against them or their companies - so called "social engineering".

NCC: Social networking security is a people issue It is an enticing technology but few of the associated risks are really technology problems. It is no different from that old managerial adage of "less gob, more job". And heavy handed bans are unlikely to mitigate the risks. You may curtail the workplace access, but you cannot control the cybercafe or home PC without instilling staff with a risk-literate attitude.

ISSA: Would you shout your details in the street? The danger of giving too much information away on social networking sites is of significant concern. Even information that seems innocuous, such as date of birth and postcode can be used for nefarious motives. How many times is this sort of information used as a challenge when speaking to a call centre operative to prove your identity?

ISF: A greater social networking threat on the horizon Last year, Facebook purchased Parakey, a start-up from two of the creators of Firefox that promises a web-based operating system designed to bridge the gap between desktop and web and make it easier to move content between the two. How long will it be before one of these sites gives simple remote access from PC to PC?

(ISC)2: Policies hold key to social networking security threat The rapid take up of social networking sites offer cyber criminals and mischief makers a new large target. Remind colleagues not to use any workplace e-mail addresses or passwords on these websites. Many of these websites do not encrypt user log-on details. Passwords and user IDs transmitted in clear text across the public internet are subject to possible interception or compromise.
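Whether a site encrypts log-on details can be checked from its login page rather than taken on trust. The following is an added example, not code from the (ISC)2 contributor: it parses the HTML of a page, finds every form containing a password field, resolves where the form would submit, and reports those that would send the password over plain HTTP. It also reports password forms on a page that was itself served over plain HTTP, because an on-path attacker can rewrite the form's action even when it nominally points at https://. The host name social.example and the sample pages are constructed for the example, not captured from any real site.

```python
"""Flag login forms on a page that would send the password over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            # html.parser lowercases attribute names but not values, hence .lower()
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cleartext_logins(page_url, html):
    """Return (submit_url, reason) for every password form exposed to interception."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page URL itself
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).scheme != "https":
            flagged.append((target, "form posts over plain HTTP"))
        elif page_scheme != "https":
            flagged.append((target, "login page itself served over plain HTTP"))
    return flagged


# Constructed sample pages (not captured from any real site)
PAGE_HTTP_POST = """<html><body>
<form action="/search"><input name="q" type="text"></form>
<form action="/session" method="post">
  <input name="user" type="text"><input name="pass" type="password">
</form></body></html>"""

PAGE_HTTPS_DOWNGRADE = """<form method="post" action="http://social.example/legacy/login">
<input name="email"><input type="PASSWORD" name="pw"></form>"""

PAGE_MIXED = """<form method="post" action="https://social.example/session">
<input name="user"><input type="password" name="pw"></form>"""

PAGE_SAFE = """<form method="post" action="/session">
<input name="user"><input type="password" name="pw"></form>"""


def demo():
    """Run the check over the four constructed pages and return the findings."""
    return {
        "http_page": cleartext_logins("http://social.example/login", PAGE_HTTP_POST),
        "downgrade": cleartext_logins("https://social.example/login", PAGE_HTTPS_DOWNGRADE),
        "mixed": cleartext_logins("http://social.example/login", PAGE_MIXED),
        "safe": cleartext_logins("https://social.example/login", PAGE_SAFE),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no cleartext password forms")
```

Feed it the URL and body of any login page you are about to use with a workplace-style password. A form that passes this check can still leak the credential through JavaScript that submits elsewhere, so treat an empty result as necessary rather than sufficient.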

Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.

Remote working - how risky is it and what can small businesses do to enable it securely?

ISACA: Low-cost and secure remote working is achievable for SMEs Remote working is commonplace in the corporate world, but many small businesses have still to take advantage of a secure method to permit their staff to connect back to the office when they are working at home or travelling. Whilst there are low-cost, adequately secure alternatives, small businesses are generally unaware of the technology or the risks of a poor implementation.

ISSA: Remote working is not all or nothing Remember looking out of the window and being greeted with a blanket of snow? The very hint of no school and a day in the snow is every kid's dream. This attitude changed one day, and the only thought was the impending journey into work because a day out of the office is surely unthinkable.

ISF: Remote working is a challenge for companies of all sizes Even large organisations struggle to secure remote working - and that is with multi-million pound budgets, 24x7 support and dedicated technical teams. Small businesses are exposed to the same risks, may not have any of these controls, yet would still like the flexibility and convenience that remote working offers them.

ISACA: More complexity delivers security, but not without cost We are all familiar with the following string of characters '12345' - according to some articles it was the most commonly used password at the dawn of the internet. The problem with passwords is that they are generally easy to guess and are often easily compromised.

Gartner: What matters is risk-appropriate authentication Ant Allan, research vice-president at Gartner, says a glib answer to the first part of the question would be, "No. We have already passed that stage." But that would not be universally true. Legacy passwords are vulnerable to a wide variety of attacks, but they can still provide appropriate levels of assurance and accountability in some low-risk situations. Gregg Kreizman, research director at Gartner, says there is a future in federated identity. But is it a bright future in which every organisation must support identity federation? No.

ISF: Federated identity services may be the way forward In a world where users expect access any time, any place, anywhere, the days of an employee just sitting at an office desk in front of a desktop PC and accessing 'the network' by entering a single username and password are long gone. The employee may be a contractor or outsourced, and the desktop replaced by a laptop, smartphone or PC at home or in an Internet café. Users now access a far wider set of applications, services and other information sources.

ISSA: Strike a balance between security and co-operation Suggestions that the life of passwords is at an end for information systems have been mooted for a number of years. However, much like the wholesale adoption of single sign-on, such assertions have failed to materialise. The logic behind their demise is understood; passwords have a number of vulnerabilities that range from non-repudiation, subject to guessing, brute-forcing, etc.

The Corporate IT Forum: Users are human and part of the risk matrix Secure user authentication is a difficult balancing-act for IT security professionals. There needs to be a careful balance between accessibility and the requirements of secure networks and systems. With users increasingly emanating from federated business environments (such as online customer and colleague communities, remote, mobile and global workforces) the requirement to validate the integrity of the user has become a top priority.

What are the security risks associated with social-media use, and who owns these risks?

Deeper relationships must be balanced with reputational risk, but an outright ban puts social media beyond policy control. Content-based risks are trickier than technological threats, so the fundamental issue is not the technology but the information – which begs the question of whether the business can justifiably manage something that is social and organic?

What should security professionals do about Stuxnet?

Technology alone is not the answer, and widespread education is needed. Basic security measures can be effective, but make sure systems are isolated and protected. Employees must be kept alert to the dangers, and open-source intelligence can help find out if you are a target. Also, look at both whitelisting and blacklisting.

How to prevent security breaches from personal devices in the workplace

January represents a significant challenge for the security professional; this will be the time employees bring in their new consumer electronic devices into the office with the expectation that they can use them at work. Regardless of corporate policy, organisations are being challenged on an almost daily basis to provide support for a range of devices often designed for consumer use.
